containrrr / watchtower

A process for automating Docker container base image updates.
https://containrrr.dev/watchtower/
Apache License 2.0

Not using the helper with aws ecr #1572

Open ishwinder opened 1 year ago

ishwinder commented 1 year ago

Describe the bug

I have been trying to get this working with Amazon ECR, but somehow it doesn't use the helper with ECR.

My docker-compose.yml:

version: "3"
services:
  watchtower:
    image: index.docker.io/containrrr/watchtower:latest
    command: --interval 180
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/ubuntu/.docker/config.json:/config.json
      - helper:/go/bin
    environment:
      - HOME=/
      - PATH=$PATH:/go/bin
      - AWS_REGION=ap-south-1
      - AWS_ACCESS_KEY_ID=<key>
      - AWS_SECRET_ACCESS_KEY=<secret>
      - WATCHTOWER_DEBUG=true
volumes:
  helper:
    external: true

The helper volume Dockerfile is a copy-paste from the documentation here: https://containrrr.dev/watchtower/private-registries/

Appreciate any help in this regard.

Steps to reproduce

  1. posted everything in description

Expected behavior

watchtower should be able to use the docker-credentials helper to log in to ECR

Screenshots

No response

Environment

Your logs

time="2023-03-01T14:03:30Z" level=debug msg="Trying to load authentication credentials." container=/loving_johnson image="<ecr>:latest"
time="2023-03-01T14:05:04Z" level=debug msg="Loaded auth credentials for user , on registry <ecr>:latest, from file /config.json"
time="2023-03-01T14:05:04Z" level=debug msg="Got image name: <ecr>:latest"
time="2023-03-01T14:05:04Z" level=debug msg="Credentials loaded"
time="2023-03-01T14:05:04Z" level=debug msg="Checking if pull is needed" container=/loving_johnson image="<ecr>:latest"
time="2023-03-01T14:05:04Z" level=debug msg="Building challenge URL" URL="https://<ecr>/v2/"
time="2023-03-01T14:05:34Z" level=debug msg="Could not do a head request for \"<ecr>:latest\", falling back to regular pull." container=/loving_johnson image="<ecr>"
time="2023-03-01T14:05:34Z" level=debug msg="Reason: Get \"https://<ecr>/v2/\": dial tcp 13.232.243.185:443: i/o timeout" container=/loving_johnson image="1<ecr>:latest"
time="2023-03-01T14:05:34Z" level=debug msg="Pulling image" container=/loving_johnson image="<ecr>:latest"
time="2023-03-01T14:05:34Z" level=debug msg="Error pulling image <ecr>:latest, Error response from daemon: Head \"https://<ecr>/v2/<name>/manifests/latest\": no basic auth credentials"
time="2023-03-01T14:05:34Z" level=info msg="Unable to update container \"/loving_johnson\": Error response from daemon: Head \"https://<ecr>/v2/ft_app_new/manifests/latest\": no basic auth credentials. Proceeding to next."
time="2023-03-01T14:05:34Z" level=debug msg="Could not do a head request for \"<ecr>:latest\", falling back to regular pull." container=/loving_johnson image="<ecr>"
time="2023-03-01T14:05:34Z" level=debug msg="Reason: Get \"https://<ecr>/v2/\": dial tcp 13.232.243.185:443: i/o timeout" container=/loving_johnson image="1<ecr>:latest"
time="2023-03-01T14:05:34Z" level=debug msg="Pulling image" container=/loving_johnson image="<ecr>:latest"
time="2023-03-01T14:05:34Z" level=debug msg="Error pulling image <ecr>:latest, Error response from daemon: Head \"https://<ecr>/v2/<name>/manifests/latest\": no basic auth credentials"
time="2023-03-01T14:05:34Z" level=info msg="Unable to update container \"/loving_johnson\": Error response from daemon: Head \"https://<ecr>/v2/ft_app_new/manifests/latest\": no basic auth credentials. Proceeding to next."

Additional context

I think the problem is this line: time="2023-03-01T14:05:04Z" level=debug msg="Loaded auth credentials for user , on registry <ecr>:latest, from file /config.json". Here it's not able to find the username.
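
Added example (not part of the issue thread or of watchtower's code): a preflight check for the config.json and PATH that get mounted into the container, relevant to the empty user in the log line quoted above. It follows the Docker CLI lookup order (`credHelpers`, then `credsStore`, then `auths`) and the credential-helper `get` protocol, and assumes watchtower resolves credentials the same way; the registry host and account ID are constructed placeholders.

```python
import json
import shutil
import subprocess


def pick_helper(config, registry):
    """Helper name chosen for `registry`: a per-registry "credHelpers"
    entry wins, otherwise the global "credsStore"; None if neither is set."""
    return config.get("credHelpers", {}).get(registry) or config.get("credsStore")


def parse_helper_reply(returncode, output):
    """Classify the reply of `docker-credential-<name> get`, which prints
    {"ServerURL": ..., "Username": ..., "Secret": ...} on success."""
    if returncode != 0:
        return ("helper-failed", output.strip())
    try:
        creds = json.loads(output)
    except json.JSONDecodeError:
        creds = None
    if not isinstance(creds, dict):
        return ("helper-failed", "reply is not a JSON object")
    if not creds.get("Username") or not creds.get("Secret"):
        return ("empty-credentials", creds.get("ServerURL", ""))
    return ("ok", creds["Username"])  # the Secret is never returned or logged


def check_registry_auth(config, registry, path=None):
    """Return (status, detail): where credentials for `registry` come from."""
    helper = pick_helper(config, registry)
    if helper is None:
        entry = config.get("auths", {}).get(registry) or {}
        if entry.get("auth") or entry.get("identitytoken"):
            return ("static-auth", registry)
        return ("no-credentials", registry)
    binary = shutil.which("docker-credential-" + helper, path=path)
    if binary is None:
        return ("helper-not-on-path", "docker-credential-" + helper)
    # The helper reads the registry host on stdin and answers on stdout.
    proc = subprocess.run([binary, "get"], input=registry, text=True,
                          capture_output=True, timeout=30)
    return parse_helper_reply(proc.returncode, proc.stdout or proc.stderr)


if __name__ == "__main__":
    # Constructed sample: placeholder account ID, "auths" entry with no secret.
    registry = "123456789012.dkr.ecr.ap-south-1.amazonaws.com"
    sample = {"auths": {registry: {}}}
    print(check_registry_auth(sample, registry))   # no helper configured
    sample["credHelpers"] = {registry: "ecr-login"}
    print(check_registry_auth(sample, registry))   # now goes through the helper
```

Run it inside the watchtower container's environment (same config.json, same PATH, same AWS variables) so the result reflects what the container actually sees.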

github-actions[bot] commented 1 year ago

Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏

zoispag commented 1 year ago

If it helps, my Dockerfile is this:

FROM golang:1.16 as ecr-helper

ENV CGO_ENABLED 0
ENV GO111MODULE off
ENV REPO github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login

RUN go get -u $REPO && \
    rm /go/bin/docker-credential-ecr-login && \
    go build \
      -o /go/bin/docker-credential-ecr-login \
      /go/src/$REPO

WORKDIR /go/bin/

FROM containrrr/watchtower:latest

ENV HOME='/'
ENV PATH="${PATH}:/go/bin"

ENV AWS_REGION='eu-central-1'

COPY --from=ecr-helper /go/bin /go/bin

ishwinder commented 1 year ago

@zoispag thanks for taking a look, let me try this.

ishwinder commented 1 year ago

Seems like the same issue, not sure how it's different from explicitly mounting the binary as shown in the documentation:

docker run  -d --rm --name aws-cred-helper \
  --volume helper:/go/bin aws-ecr-dock-cred-helper

Rubens-Gasparotto commented 1 year ago

Finally got this working with ECR

I followed all the steps from the watchtower docs, but used the Dockerfile of @zoispag, just changing the version of golang to 1.19.

My watchtower docker-compose.yml

version: "3.4"

volumes:
 helper:
   external: true

services:
 watchtower:
   image: containrrr/watchtower:latest
   container_name: watchtower
   volumes:
     - /var/run/docker.sock:/var/run/docker.sock
     - /home/ec2-user/.docker/config.json:/config.json
     - /home/ec2-user/.aws:/.aws
     - helper:/go/bin
   environment:
     HOME: /
     PATH: $PATH:/go/bin
     AWS_REGION: "us-east-1"
     WATCHTOWER_CLEANUP: "true"
     WATCHTOWER_INCLUDE_RESTARTING: "true"
     WATCHTOWER_INCLUDE_STOPPED: "true"
     WATCHTOWER_SCHEDULE: 0 0 0 * * *
     TZ: America/Sao_Paulo
   restart: always

Crinchy commented 1 month ago

Hey @Rubens-Gasparotto

what are you using to authorize against ECR, if you want to pull and start a container the first time?